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(57) Abstract: This invention relates to a method for identifying and initializing digidzed biometric characteiisdcs to enable the 
encryption or encoding of confidential data. 

(57) Zusammenfassung: Beschrieben wird ein Verfahren zur IdentifLzierung und Initialisiening von digitalisierten biometrischen 
Merkmalen, um eine Verschlusselung bzw. Kodienmg gefaeimer Daten bereitzustellen. 
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Applicant: Koija VOGEL et al. 

For: METHOD OF DATA PROTECTION 



PCT/DO/EO/US 
Attorney Docket: VOGE3001/JEK 



PRELIMINARY AMENDMENT 

Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Tliis paper accompanies documents submitted to establish the U.S. national 
stage of the above-identified international patent application. 

The international patent application was amended under POT Article 34 and the 
claims as-amended in the English language are annexed to the International 
Preliminary Examination Report (I PER). 

Before calculation of the filing fee and before examination, kindly amend the 
claims as annexed to the I PER as follows: 

IN THE CLAIMS : 

Please amend the claims as annexed to the IPER as shown on the appended 
APPENDIX OF CLAIMS, which includes amended and non-amended claims. Also 
appended hereto an APPENDIX OF MARKED UP VERSION OF CLAIMS showing the 
changes which have been made. 

REMARKS 

All rights are reserved to the original claimed subject matter. The claims have 
been amended to reduce the filing fees and to restate the inventive subject matter in 



International Application No. PCT/E POO/07597 
Attorney Docket: VOGE3001/JEK 



clear terms. None of the amendments are intended to narrow any element of the 
claims as they stood prior to amendment. Examination of the application as amended 
is respectfully requested. 



Respectfully submitted. 
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APPENDIX OF CLAIMS 



1 (Amended). A method for protecting data having an authentication phase 
comprising the following steps: 

(a) providing a biometric feature; 

(b) digitizing the biometric feature to create digitized biometric 
authentication feature data; 

(c) decrypting an encrypted code word on the basis of the digitized 
biometric authentication feature data; 

(c) recovering secret data by means of a decryption of the code word 
on the basis of the digitized biometric authentication feature data and on the basis 
of a coding-theory method with a correction capacity, the correction capacity being 
freely selectable. 

2(Amended). The method according to claim 1 having an initialization phase 
comprising: 

after providing a biometric feature, digitizing the biometric feature to 
create digitized biometric feature data; 

providing secret data; 

encrypting on the basis of the digitized biometric feature data and fault 
tolerantly coding the secret data. 

3(Amended). The method according to claim 2 including using the 
consecutive steps: 

fault-tolerantly coding the secret data to create a code word; 

encrypting the code word on the basis of the digitized biometric feature 
data to create an encrypted code word. 
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4(Amended). The method according to clainn 3, wherein the code word is 
generated by a generating matrix. 

5(Amended). The method according to claim 2 including the step of creating 
initial correction data to describe the space of allowed code words. 

6(Amended). The method according to claim 2 including the step of providing 
initialization correction data on the basis of the digitized biometric feature data. 

7(Amended). The method according to claim 1 including the steps: 

creating authentication correction data on the basis of the digitized 

biometric authentication feature data; 

recovering the digitized biometric feature data on the basis of the 

authentication and initial correction data; 

decrypting encrypted secret data on the basis of the recovered 

digitized biometric feature data. 

8(Amended). The method according to claim 7, wherein the initial correction 
data are created by calculation of the digitized biometric feature data modulo n. 

9(Amended). The method according to claim 7. wherein the authentication 
correction data are created by calculation of the authentication feature data modulo 
n. 

lO(Amended). The method according to claim 2, including using user- 
specific initial correction data and/or user-specific fault-tolerant coding. 

11 (Amended). The method according to claim 2, wherein a public and a 
secret part are determined or estimated from the biometric feature. 
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12(Amended). The method according to claim 11, wherein the separation 
into a public and a secret part of the biometric feature is effected with the aid of 
empirical inquiries. 

13(Amended). The method according to claim 1, wherein a hash value is 
created from the digitized biometric feature data with the aid of a hash function. 

14(Amended). The method according to claim 1, wherein a hash value is 
created from the digitized biometric authentication feature data with the aid of a 
hash function. 

15(Amended). The method according to claim 1. wherein the biometric 
feature is a behavioral biometric. 

16(Amended). The method according to claim 1, wherein the biometric 
feature consists of a handwritten signature. 

1 /(Amended). The method according to claim 16, wherein the handwritten 
signature is broken down into a public and a secret part and the secret part is a 
proper subset of the dynamic information of the signature. 

18(Amended). The method according to claim 1. wherein the providing 
and/or digitizing of the biometric feature is effected several times. 

1 9(Amended). The method according to claim 1 , wherein the secret data are 
generated with a public-key method. 

20(Amended). An apparatus for carrying out the method according to claim 
1, comprising: 



3 



.Ja^ S .3 1 Jl ^"J^ 'M M^i^ . ^' . ^Ti. 



International Application No. PCT/EPOO/07597 
Attorney Docket: VOGE3001/JEK 

digitizing apparatus arranged to digitize a biometric feature to thereby 
create digitized biometric feature data; 

a secret data generator comprising; 

apparatus arranged to fault-tolerantly code and decode the secret 

data; and 

encrypting and decrypting apparatus arranged to encrypt and decrypt 
the fault-tolerantly coded secret data with the aid of the digitized biometric feature 
data. 

21 (Amended). The apparatus according to claim 20 including apparatus 
arranged to create code words. 

22(Amended). The apparatus according to claim 20 including apparatus 
arranged to create initial correction data. 

23(Amended). The apparatus according to claim 20 including apparatus 
arranged to provide a hash value. 

24(Amended). The apparatus according to claim 20 including apparatus 
arranged to break down the biometric feature into a public and a secret part. 

25(Amended). The apparatus according to claim 24 wherein the apparatus 
arranged to break down into a public and a secret part the biometric feature is 
further arranged to do so with the aid of statistical inquiries. 

26(Amended). The apparatus according to claim 2, including apparatus 
arranged to capture a handwritten signature as a biometric feature. 
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APPENDIX OF MARKED-UP VERSION OF CLAIMS 



1 (Amended). A method for protecting data having an authentication phase 
[with] comprising the following steps: 

(a) providing a biometric feature; 

(b) digitizing the biometric feature to create digitized biometric 
authentication feature data; 

(c) decrypting an encrypted code word on the basis of the digitized 
biometric authentication feature data; 

(c) recovering secret data by means of a decryption of the code word 
on the basis of the digitized biometric authentication feature data and on the basis 
of a coding-theory method with a correction capacity, the correction capacity being 
freely selectable. 

2(Amended). [A] The method according to claim 1 having an initialization 
phase [with the following steps] comprising : 

[(a)] after providing a biometric feature[;] [(b)] ^digitizing the biometric 
feature to create digitized biometric feature data; 

[(c)] providing secret data; 

[(d)] encrypting on the basis of the digitized biometric feature data and 
fault tolerantly coding the secret data. 

3(Amended). [A] The method according to claim 2 [having] including using 
the consecutive steps: 

[(a)] fault-tolerantly coding the secret data to create a code word; 

[(b)] encrypting the code word on the basis of the digitized biometric 
feature data to create an encrypted code word. 
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4(Amended). [A] The method according to claim 3, wherein the code word is 
generated by a generating matrix. 

5(Amended). [A] Ihe method according to claim 2 [having the following step:] 
including the step of creating initial correction data to describe the space of allowed 
code words. 

6(Amended). [A] Ihe method according to claim 2 [having the following step:] 
including the step of providing initialization correction data on the basis of the 
digitized biometric feature data. 

7(Amended). [A] Ihe method according to claim 1 [having] including the 
[following] steps: 

[(a)] creating authentication correction data on the basis of the 
digitized biometric authentication feature data; 

[(b)] recovering the digitized bio metric feature data on the basis of the 
authentication and initial correction data; 

[(c)] decrypting encrypted secret data on the basis of the recovered 
digitized biometric feature data. 

8(Amended). [A] Ihe method according to claim [6] Z. wherein the initial 
correction data are created by calculation of the digitized biometric feature data 
modulo D. 

9(Amended). [A] The method according to claim 7, wherein the authentication 
correction data are created by calculation of the authentication feature data modulo 
n. 
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lO(Amended). [A] Ihe method according to [claims 2 to 9 having] claim 2, 
including using user-specific initial correction data and/or user-specific fault-tolerant 
coding. 

11 (Amended). [A] Ihe method according to [any of claims 2 to 101] claim 2, 
wherein a public and a secret part are determined or estimated from the biometric 
feature. 

1 2(Amended). [A] Ihe method according to claim 1 1 , wherein the separation 
into a public and a secret part of the biometric feature is effected with the aid of 
empirical inquiries. 

13(Amended). [A] Ihe method according to [claims 1 to 1 1] claim 1 , wherein 
a hash value is created from the digitized biometric feature data with the aid of a 
hash function. 

14(Amended). [A] Ihe method according to [any of claims 1 to 13] claim 1, 
wherein a hash value is created from the digitized biometric authentication feature 
data with the aid of a hash function. 

15(Amended). [A] The method according to [any of the above claims] claim 
1, wherein the biometric feature is a behavioral biometric. 

1 6(Amended). [A] Ihe method according to [any of the above claims] claim 
1. wherein the biometric feature consists of a handwritten signature. 

1 /(Amended). [A] Ihe method according to [any of the above claims] claim 
16 , wherein the handwritten signature is broken down into a public and a secret part 
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and the secret part is a proper subset of the dynamic information of the signature. 

18(Amended). [A] Ihe method according to [any of the above claims] claim 
1, wherein the providing and/or digitizing of the biometric feature is effected several 
times. 

19(Amended). [A] The method according to [any of the above claims] claim 
1, wherein the secret data are generated with a public-key method. 

20(Amended). An apparatus for carrying out the method according to [any 
of the above claims, having] claim 1. comprising : 

[(a)] [means for digitizing] digitizing apparatus arranged to digitize a 
biometric feature to thereby create digitized biometric feature data; 

[(b)] [means for providing] a secret data generator comprising ; 
[characterized by] 

[(c) means for] apparatus arranged to fault-tolerantly [coding] code 
and [decoding] decode the secret data; and 

[(d) means for encrypting and decrypting] encn/pting and decrvpting 
apparatus arranged to encrvpt and decn/pt the fault-tolerantly coded secret data 
with the aid of the digitized biometric feature data. 

21 (Amended). [An] Ihe apparatus according to claim 20 [having means for 
creating] including apparatus arranged to create code words. 

22(Amended). [An] The apparatus according to claim 20 [having means for 
creating] including apparatus arranged to create initial correction data. 

23(Amended). [An] The apparatus according to [any of claims 20 to 22 having 
means for providing] claim 20 including apparatus arranged to provide a hash value. 
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24(Amended). [An] The apparatus according to [any of clainns 20 to 23 having 
means for breaking] claim 20 including apparatus arranged to break down the 
biometric feature into a public and a secret part. 

25(Amended), [An] The apparatus according to claim 24 [having means for 
breaking] wherein the apparatus arranged to break down into a public and a secret 
part [of] the biometric feature is further arranged to do so with the aid of statistical 
inquiries. 

26(Amended). [An] The apparatus according to [claims 20 to 26 further 
having means for capturing] claim 2, including apparatus arranged to capture a 
handwritten signature as a biometric feature. 
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Method for protecting data 

This invention relates to the protection of data, in particular a method for guaran- 
teeing authenticity and integrity of digitized data on the basis of biometric features. 

In the course of increasing globalization in almost all areas of the economy, par- 
ticularly new information technologies are of ever greater importance. This primarily 
applies to the progressive use of electronic communication networks, the best known 
form presumably being the Internet. The increasing international exchange of goods 
and services makes it absolutely necessary for information to be transmitted safely. At 
present, the value of monetary transactions many times exceeds that of the exchange of 
goods. This data traffic is handled at present in some form over electronic communica- 
tion networks (e.g. electronic transactions such as e-commerce). This form of commu- 
nication, as in the nonelectronic sphere, involves the need for the parties to the transac- 
tion to be able to rely on statements (in particular declarations of intention) during the 
transaction both on the content and on the identity of the other party. Since such elec- 
tronic transactions (on-line transactions) normally involve no direct contact of the par- 
ties and the data are only present in electronic form, however, this cannot be achieved 
by face-to-face interaction as usual otherwise. Without the possibility of authentication 
and protection of transaction data against manipulation, realization is inconceivable. A 
reliable check of data integrity is also of great importance with respect to the protec- 
tion of electronic stored personal data. Digital signatures are one way of ensuring the 
authenticity and integrity of data. Only authorized persons, groups or machines can 
make changes on data. Additionally, anyone can ascertain whether a signature is au- 
thentic. 

Known signature methods use a so-called asymmetric encryption method. The 
basic course of such a method will be outlined in the following. 

For each participant in the signature system a key pair is generated, for example a 
secret and a public key, which have a certain mathematical relationship to each other. 
To generate the digital signaUire the sender uses his secret key, normally as a special 
signature feature. The document to be signed is first compressed by a so-called hash 
method, the resulting digest linked with the secret key according to a predetermined 
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algorithm and the result appended to the document to be transferred as a digital signa- 
ture. The recipient now likewise compresses the document and compares this digest 
with the digest contained in the digital signature which results by decrypting the signa- 
ture with the sender's public key. In case of a match it is certain that the sent and re- 
ceived texts are the same, i.e. there have been neither manipulations nor transfer er- 
rors. It is also certain that only the sender, who is in the possession of the secret key, 
can have generated the signature because the public key would otherwise not "fit," i.e. 
no transformation to the original digest could have taken place. 

The security of modem signature methods is based on the fact that the private 
signature key cannot be determined according to the current level of knowledge even 
if the plaintext, the signed text and the affiliated public signature key are available to 
the attacker. An example of an asymmetric encryption method is RSA. The RSA 
method was named after its developers: Ronald L. Rivest, Adi Shamir and Leonard 
Adleman, who presented the method in 1977 ("On Digital Signatures and Public Key 
Cryptosystems," MIT Laboratory for Computer Science Technical Memorandum 82, 
April 1977) and in 1978 ("A Method for Obtaining Digital Signatures and Public-Key 
Cryptosystems," Communications of the ACM 2/1978). RSA is based on number- 
theory considerations, it being assumed that large numbers are difficult to factorize, 
i.e. resolve into prime factors. This is the so-called factorization problem. The assumed 
computing effort is so great that the encryption can virtually not be broken by a bmte- 
force attack if the keys are suitably chosen. No cryptanalytic attacks are published. 

Thus, such an asymmetric encryption method permits a signed document to be 
associated uniquely with a signature key. The association of a signed document with a 
person or organization is still problematic, however. For it to succeed, the following 
conditions must be guaranteed. Firstly, only the rightful owner has access to his pri- 
vate signaUire key and, secondly, each public key has the rightfiil owner of the affili- 
ated private key associated therewith in unique fashion. 

To meet the first condition there is the possibility of identifying the rightful 
owner of the signature key by biometric features. 

To meet the second condition many systems include so-called trusted third par- 
ties: third parties who are not directly involved in the transaction and whose tmstwor- 
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trustworthiness can be considered certain. The system of mutual tmst and checks is fre- 
quently called the trust model. 

Examples of the use of signature methods for authentication and checking data 
integrity are: contracts concluded electronically over the Internet or another data net- 
work; electronic transactions (cf. e-commerce); controlled access to resources (e.g. 
data connections or external memory systems); process control data which are ex- 
ported and read into production plants; personal data management (e.g. patient data 
management or in govemment agencies). 

As with every security system, there are numerous possibilities of attack with 
signature methods known today. These are presented in a table in Fig. 6. 

Known signature systems are for example so-called smart card systems. Many 
systems based on smart cards offer good protection against attacks on the key itself 
(cryptanalytic attacks), brute-force attacks (BFA) and attacks on the hardware on 
which the key is stored. However, replay and fake-terminal attacks (RA) as well as 
attacks on the users are relatively promising, i.e. smart card systems are a security risk 
with respect to such attacks. 

Some systems attempt to protect users from theft of the signature key. Both PINs 
and biometric methods are employed. Attacks on the trust model (TMA) are not even 
discussed by most providers of authentication systems. 

In the following, a conventional system combining digital signatures and the 
measurement of biometric features shall be described. Both the customer's private sig- 
nature key and a sample or prototype (the so-called template) of the digital representa- 
tion of the measured biometric feature are present in stored form. The following spe- 
cific authentication steps are taken. The user identifies himself, for example by enter- 
ing a PIN or by a biometric feature being read. The biometric data are validated by 
comparison with a template. If the distance of the measured feature from the prototype 
is smaller than a threshold value, the transaction is enabled. This comparison is ef- 
fected in readers or a central clearinghouse. In the latter case the biometric data - en- 
crypted or in plaintext - are transferred over networks. The private signature key is 
released. The user identifies himself by signing the document digitally. The RSA 
method or another asymmetric encryption method is usually irnplemented. It is fre- 
quently implemented on a smart card or other tamper-resistant hardware. The signed 
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hardware. The signed document is transferred over a network. The cryptographic 
operation is validated by means of the user's public signature key. 

The security of said methods is based on the private signature key not leaving the 
smart card. "Man in the middle" attacks (MMA) on the private signature key itself are 
thus impossible as long as the smart card remains in the legitimate owner's hands. 

An example of a method wherein both the customer's private signature key and a 
prototype of the digital representation of the measured biometric feature are present in 
stored form can be found in WO 09912144 Al. 

The method proposed in WO 09912144 A 1 provides that the template is present 
in stored form in a central clearinghouse. The latter digitally signs in the user's name if 
the distance of the measured biometric feature from the prototype is smaller than a 
threshold value. 

However, the method proposed in WO 09912144 Al has the disadvantage that it 
inherently involves some security problems. Firstly, the user must trust the reader into 
which the biometric feature is read, the clearinghouse and the public networks. Fake- 
terminal attacks are thus possible. Then the digital representation of the biometric fea- 
ture can be read into the reader (so-called replay attack (RA)). Secondly, attacks on the 
reader or on the entity in which the template is stored (SKT) are also possible. Such 
attacks are aimed at reading the template of the digital representation of the measured 
biometric feature. Such attacks can also be performed online (MMA). Thirdly, the data 
associated with the template of the digital representation of the measured biometric 
feature can be exchanged (STX). 

WO 09850875 describes a so-called biometric identification method using a digi- 
tal signature method and biometry. This method prevents the template of the digital 
representation of the measured biometric feature from being exchanged (STX) by stor- 
ing it in a so-called biometric certificate. The template, as well as user data associated 
therewith, are validated and digitally signed by a certifying authority. This prevents the 
user data associated with the template from being exchanged. However, the disadvan- 
tage is that this cannot exclude the possibility of replay attacks. 

WO 98/52317 likewise describes a digital signature method. The method accord- 
ing to WO 98/523 17 attempts to thwart STT and STX attacks by doing without storage 
of the digital representation (template) of the biometric feature (BM). In an initializa- 
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initialization phase the BM is used to create a so-called instance, i.e. representative or 
specific example of a class, of a problem whose solution is the BM. The digital 
representation is thus not explicitly stored, but hidden in the instance of the problem. 
WO 98/523 17 proposes designing the problem so that the digital representation is 
hidden in a mass of similar data (camouflage). 

The capture of a biometric feature for further computer-aided processing presup- 
poses analog-to-digital conversion, which will often yield rounding errors in the digi- 
tized measured values since the resolving power is always finite, albeit very exact. 
Furthermore, it is unrealistic to assume that the user will always adopt exactly the 
same positions with respect to the measuring sensor system when biometric features 
are captured. Measurements of behavioral biometric features involve the additional 
problem that the user cannot be expected to exactly replicate his behavior twice. How- 
ever, the point of using biometric features is precisely their absolutely unique associa- 
tion with a person (e.g. fingerprint, retina, etc.). Therefore, information about the nec- 
essary fault-tolerance or about how the varying measured values are to yield a unique 
association is imperative. WO 98/52317 provides no information about how great the 
fault-tolerance of this method is. It likewise remains unclear how great the amount of 
camouflaging information must be for the solution to the problem not to be read. This 
is a necessary condition for quantifying or even just estimating the security of the 
method. 

DE 4243908 Al attempts to prevent PKT, TA, STT and STX attacks by doing 
without storage of the private signature key and without storage of the digital represen- 
tation of the biometric feature. This is done in the following way. Biometric feature 
ABM is measured. Biometric feature ABM is digitized. From the digital representation 
of the biometric feature a so-called fixed-length individual value IW is calculated. 
From individual value IW the sender*s private signature key SK(A) is calculated. The 
message is encrypted by means of said key SK(A). 

However, it is disadvantageous that the calculation of IW is to be done by means 
of function f, which has a certain fault-tolerance, since it is unclear how this fault- 
tolerance, which is of crucial importance, is to be determined for such a function. The 
application requires merely that it assign the same individual value to two users "only 
with such low probability as is compatible with the security of the system." It is like- 
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likewise disadvantageous that it is unclear which functions or classes of functions are 
to have the properties required in the application. The description of the application in- 
stead permits the conclusion that, although collision fireedom is required for function f, 
i.e. it should be impossible to find two input values for the same function value, it is 
nevertheless to have a certain fault-tolerance. Such a function having these diametri- 
cally opposed conditions can by definition not exist. The resuU of this is that invaria- 
bly reproducible generation of the same private key firom new measured values of the 
same biometric feature is not possible fi-ee of doubt, i.e. signed documents or data can- 
not be identified or authenticated with known public keys. 

US005832091 A describes a method for obtaining a unique value fi-om a finger- 
print. This method works as follows. In a first step the fingerprint is Fourier trans- 
formed. Then the Fourier coefficients are subjected to imaging which depends on the 
template of the fingerprint and the resolution of the measuring instrument. From the 
inverse transform a unique value is obtained firom which a signature key can be deter- 
mined. The method has the following disadvantages, however. The method works only 
for fingerprints, the method requires a Fourier transform, for the imaging dependent on 
the template it cannot be determined how much information about the template it re- 
veals. Thus, it is not possible to quantify the security against brute-force attacks, and 
the method only corrects errors which are due to the resolving power of the measuring 
instrument. It remains unclear whether errors resulting e.g. from dirt or small injuries 
of the fingertips are also corrected. 

All stated methods thus share the disadvantage of not permitting any quantitative 
statements about the computing effort of a brute-force attack and thus the protection 
from decryption. Thus, they are inaccessible to quantification of the protection by bi- 
ometry. 

In contrast, the invention is based on the problem of providing a method for pro- 
tecting data that has increased security compared to prior art methods. 

Further, it is a problem of the invention to provide a method permitting safe en- 
cryption of the signature key with the aid of biometric features. 

A fiirther problem of the invention is to provide a possibility of quantifying the 
protection of encryption by biometry in such a method. 

These problems are solved by the features stated in claims 1 and 21. 



According to the application the invention uses a signature method wherein the 
private or secret key (signature key) is encrypted with data obtained from a biometric 
feature of the owner of the private key. The encryption achieves a guarantee to the ef- 
fect that the person who has given his digital signature with the aid of the signature 
key is in fact the rightful owner. 

In a first step, a biometric feature of the owner of the signature key, preferably 
his handwritten signature, is provided in the authentication phase (verification). 
Measuring data are obtained from the biometric feature. 

In a second step, the measuring data of the biometric feature are digitized for ac- 
quisition and further processing thereof. 

In a third step, the signature key is recovered. The signature key is first decrypted 
on the basis of the biometric feature measured in the authentication phase, and then 
recovered on the basis of a coding-theory method. Alternatively, the biometric feature 
measured in the initialization phase can first be recovered on the basis of a coding- 
theory method fi-om the biometric feature measured in the authentication phase. This 
then decrypts the signature key. The correction capacity of the error-correcting method 
is freely selectable, i.e. the original, fault-tolerant coded value is only recovered if the 
input of the error-correcting method does not deviate too far. 

In the method according to the application, there is no storage at any point of se- 
cret data, i.e. the signature key and the digitized feature data or secret parts thereof, so 
that it is impossible to exchange or steal the prototype of the biometric feature. There- 
fore, this method according to the application guards against the following possibilities 
of attack: 

• KA by using an asymmetric encryption method; 

• PKT attacks are impossible since the signature key is not stored; 

• STT and STX attacks are likewise prevented since the digital representation of 
the biometric feature, or the relevant secret part thereof, is not stored. 

• MMA attacks are prevented since the biometric feature is not transferred over a 
data network. 

• In an advantageous embodiment, RA attacks are prevented by the biometric fea- 
ture not being read into an external reader. In another advantageous embodi- 
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embodiment presupposing external readers, RA attacks are impeded compared 
to the prior art since the method in particular according to claim 7 rejects two 
exactly identical digital representations of the biometric feature. 

Claim 2 shows an advantageous embodiment of an initialization phase (enrol- 
ment) to the authentication phase of the method according to the application. In one 
step the relevant biometric feature is accordingly digitized. In a further step, secret 
data are provided. In case of a public-key method the key generation necessary for an 
asymmetric signature method, i.e. the generation of a signature key, is effected. In a 
further step, the secret data are coded fault-tolerantly on the basis of a coding-theory 
method and encrypted on the basis of the biometric feature. 

Claim 3 shows an advantageous embodiment of the initialization phase. The se- 
cret data are first coded fault-tolerantly. The resulting code word is longer than the 
original message; the redundant information serves to decode a message in which 
some bits are flipped. The code word then is encrypted on the basis of the biometric 
feature. 

Claim 4 shows an advantageous embodiment of the method described in claim 3. 
The code word is generated by the secret data being multiplied with a generating ma- 
trix. This is for example an efficient method for representing the space of allowed code 
words. 

Claim 5 shows a variant of the initialization phase. The secret data (message) are 
not changed by the coding. Instead, separate correction data are created. Said data de- 
scribe the space of allowed code words. 

Claim 6 shows an advantageous embodiment of the authentication phase. The 
encrypted code word is first decrj^ted on the basis of the biometric feature. The en- 
cryption method is to have the property that single flipped bits have no influence on 
other bits. A suitable encryption method is the application of the bit-by-bit exclusive- 
OR rule (XOR). 

Claim 7 shows a further variant of the initialization phase. Separate correction 
data are created in dependence on the biometric feature. 

Claim 8 shows a variant of the authentication phase. Separate correction data are 
first created in dependence on the biometric feature. In a further step, the biometric 
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feature measured in the initialization phase is recovered. This is done on the basis of 
said correction data, i.e. the correction data created in the initiahzation phase and the 
biometric feature measured in the authentication phase. In a further step, the secret 
data are decrypted on the basis of the recovered biometric feature data. 

Claim 9 shows a variant of the method described in claim 7. The correction data 
are created by calculation of parameters obtained from the biometric feature modulo n. 
On the basis of said data, values whose deviation from the true value is smaller than or 
equal to n are mapped onto the tme value, while values whose deviation is greater than 
n are mapped onto a random value. 

Claim 10 shows a variant of the method described in claim 8. The authentication 
correction data are created, as in the method described in claim 9, calculation of pa- 
rameters obtained from the biometric authentication feature modulo n. The biometric 
feature data are recovered by determining the difference of the residues. This is exactly 
the difference of the values when the deviation is smaller than n. 

Claim 1 1 describes an embodiment wherein the correction method is user- 
specific. This permits the correction capacity to be adapted to the variance of the bio- 
metric features within a user. 

According to claim 12, the digitized feature is additionally broken down into a 
public and a nonpublic or secret part within the second step for providing a possibility 
of quantifying the effort of brute-force attacks and thus, if the system is suitably de- 
signed, a general quantification of the system with respect to protection by biometry. 
Since only the nonpublic part of the biometric feature is used for coding the signature 
key, the effort for a bmte-force attack remains quantifiable. 

According to claim 13, empirical inquiries are preferably used for breaking down 
the digitized biometric feature data since they are most easily performed at present. 

According to claim 14, a hash value is preferably created with the aid of a hash 
function from the digitized biometric feature data or from the nonpublic portion 
thereof for coding the private key or signature key. This has the advantage of reducing 
the feature data to a fixed-length bit string and thus also simplifying the coding of the 
affiliated signature key, which can then be easily performed with an XOR operation 
for example. 
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According to claim 15, a hash value is still preferably created with the aid of a 
hash function from the digitized biometric feature data created in the authentication 
phase, said value being compared with already stored hash values of preceding authen- 
tications. Since the hash function is a special form of so-called one-way functions, it 
has the property of collision freedom. The term collision freedom is understood in 
cryptography to mean that similar but not identical texts are to yield completely differ- 
ent check sums. Each bit of the text must influence the check sum. This means, in 
simplified terms, that the function always yields exactly one identical output value of 
fixed bit length in case of identical input values. This property is exploited by the 
method according to the application, since it is virtually impossible to obtain exactly 
two identical measuring data records when the same biometric feature is repeatedly 
captured, as mentioned above. If comparison between the current and the stored hash 
values therefore leads to a positive result, this is a strong indication of the possibility 
that a replay attack is involved. Security can accordingly be guaranteed by aborting 
authentication. 

According to claims 16 and 17, the biometric features to be used for the method 
in question are preferably behavioral biometrics. These have the advantage of being 
difficult to imitate. Simple copying of patterns or features is virtually excluded. 

According to claim 17, the method according to the application uses the hand- 
written signature as the behavioral biometric since it can be easily broken down into 
dynamic and static portions, which in turn serve to break down the biometric feature 
into secret and public parts. 

According to claim 18, the handwritten signature is preferably broken down into 
a public and a secret part such that the secret part of the signature is a proper subset of 
the dynamic information, thereby making quantification possible or keeping it possi- 
ble. 

According to claim 19, the biometric feature in question is measured and digi- 
tized several times in order to improve the fault-tolerance or determination of variance 
of the biometric feature data when they are digitally captured. 

According to claim 20, a conventional public-key method is preferably proposed 
for key generation since it is widespread and works reliably. 
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According to claims 21 to 27, an apparatus is proposed for carrying out the 
method according to the application in a simple way. 

The method according to the application thus permits the protection of data to an 
increased extent compared to the prior art. In addition the method according to the ap- 
plication permits coding or encryption of the signature key without creating new weak 
points for attacks on the signature method by storage of secret data. The method and 
apparatus according to the application furthermore permit safe authentication of per- 
sons or groups. The method according to the application furthermore makes it possible 
to determine fi-om a biometric feature a reproducible value which can be used as the 
input for a cryptographic method, for example PIN or RSA. Also, the method and ap- 
paratus are fundamentally accessible to quantification for protection by biometry, i.e. 
estimation of the effort of a brute-force attack. Unlike the method according to the ap- 
plication, existing methods cannot exclude other attacks such as SST or STX, i.e. en- 
sure that brute force is the best method of attack. Brute force is the only attack which 
is at all quantifiable, unlike e.g. theft of the biometric prototype or the like. If the se- 
cret portion of the biometric feature is at least as long as the signature key itself, an 
attack on the biometric feature requires at least as much effort as a brute-force attack 
on the signature key. This permits a numerical statement of the effort at least necessary 
for guessing the signature key with brute-force attacks. It is thus possible to quantify 
the security of the method according to the application, which uses a signature method 
with additional encryption of the signature key by biometry for protecting data. 

Further features and advantages of the invention can be found in the subclaims 
and following description of an example with reference to the drawing, in which: 

Fig. 1 shows a course of a transaction of a conventional smart card system using 
an authentication method with a digital signature; 

Fig. 2 shows a course of a conventional transaction using digital signatures; 

Fig. 3 shows a course of a conventional transaction using digital signatures and 
an additional authentication step; 

Fig. 4 shows a schematic representation of the comparison of the correction data 
from the initialization and authentication phase according to the application; 
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Fig. 5 shows a flowchart of the initialization and authentication phase according 
to the application; 

Fig. 6 shows a table stating possibilities of attack and their countermeasures on 
digital signature methods additionally using biometry. 

Fig, 7 shows the transfer of the coding and decoding stage of a coding-theory 
method to the correction of erroneous biometric features. 

In the following, electronic transactions will be discussed as an example of appli- 
cation for the initialization and authentication method. 

In electronic transactions it is of central importance that the identity of the parties 
to the transaction and the integrity of the transaction data can be clearly ascertained. 
There are different methods in use for authenticating the identity of the parties to the 
transaction. 

In identification by knowledge, identification is effected by a shared secret, in 
practice usually a password, passphrase or PIN. In identification by possession, identi- 
fication is effected via the signature key, personal identification card, etc. In identifica- 
tion by biometry it is done by fingerprint, retinal pattern. 

Different combinations of said methods are likewise possible. Thus, someone 
making transactions with an ec card will identify itself by possession (the card) and by 
knowledge (the PIN). 

Some authentication methods cannot meet high security requirements. Thus, 
identification by knowledge always involves the danger of users writing down the 
passphrase or PIN. Furthermore, passphrase or PIN can be determined cryptanalyti- 
cally from stored data. To counteract such dangers, many new authentication methods 
use digital signatures. Digital signatures have a further advantage. They simultane- 
ously ensure the integrity of the signed data: signature and data are inseparably inter- 
woven. 

Digital signatures stored on a smart card or another portable medium are only a 
special case of "identification by knowledge." Therefore, they are frequently protected 
additionally by a PIN or biometry. 

Fig. 2 shows a conventional transaction using digital signatures. The transaction 
includes the following steps. A certifying authority issues certificates and/keeps direc- 
tories which assign a rightful owner to each digital signature. The signer signs a con- 
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contract. The payee validates the signature on the basis of the signer's public key. The 
payee might consult the directory kept by the certifying authority. 

This form of transaction has several disadvantages. The payee is dependent on 
knowing the signer*s public key; there is ultimately only an association of the payment 
with a private signature key, i.e. it is first unclear whether the rightful owner of the key 
is actually the person who signed the contract; and the customer and the payee must 
agree on a format. 

In some methods, the customer can only sign the contract after previously identi- 
fying himself The method then takes place as shown in Figs. 1 and 3. In Fig. 1 data 
existing only temporarily are framed with dotted lines, and data existing for a longer 
time with continuous lines. Fig. 3 shows a conventional transaction with a digital sig- 
nature and authentication. Authentication can be effected by measuring a biometric 
feature. The payee is dependent on knowing the signer's public key and a sample of 
the feature. It must be heeded that a digital representation of the measured biometric 
feature is transferred over a data network. Then the merchant side compares the meas- 
ured biometric feature with a stored sample (template). In this connection attacks are 
possible, namely MMA, RA, STT, STX. 

Fig. 5 shows the signature method according to the application in a schematic 
flowchart. The two independent methods of the initialization and authentication phase 
are shown jointly. It includes the following steps. Firstly, in an initialization phase the 
user's biometric feature is measured and digitized. This is referred to as prototype P of 
the feature. The biometric feature might be measured several times. In this case, proto- 
type P is determined fi:om several measured values and used for initializing the appara- 
tus. Ideally, prototype P is then broken down into a public and a secret part. On no 
account is a complete biometric feature, secret parts of a feature or a prototype thereof 
stored. Secondly, in a second initialization step correction data are calculated from 
prototype P to permit the reconstruction of measured biometric features when they are 
within a freely selectable tolerance interval. Thirdly, in a third initialization step the 
data necessary for carrying out the cryptographic method are calculated. Fourthly, in a 
fourth initialization step the private data of the cryptographic method are linked in 
suitable fashion with prototype P or parts of P. Fifthly, in the authentication phases the 
user's biometric feature is measured and digitized again. In the preferred embodiment 
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embodiment the biometric feature is the user's signature, with dynamic characteristics 
of the signature being captured as well. The user can write his signature on the display 
of the apparatus. It is to be heeded that he is not asked to leave his biometric feature 
with "external" devices. This impedes theft of the biometric feature. Sixthly, the 
biometric feature is optionally broken down into a "classification part" and a 
"verification part." The "classification part" includes only publicly accessible 
information. If preliminary association of the biometric feature with a user on the basis 
of the information of the "classification part" fails, the user is rejected. The 
"verification part" includes only publicly inaccessible information. In the preferred 
embodiment this may be the dynamic characteristics of the signature. Seventhly, firom 
the "verification part" or other information accessible only to the legitimate owner of 
the secret key, prototype P, or a value calculated therefi-om, is reconstructed, being 
associated with the user in unique fashion. Collision fireedom of the association rule 
with respect to different users is required. Eighthly, from this value - and optionally 
additional files - a fixed-length value is generated by means of a coUision-firee 
fiinction, whose inverse fimction is difficult to calculate. An example of such a 
function is Message Digest 5 (MD5). This value serves as a starting value for 
determining the private signature key. Alternatively, the private signature key is 
determined directly from value P. Ninthly, the apparatus signs the bill or parts of the 
bill. The signature key is then immediately deleted. 

In the following, the reconstruction of value P in the authentication phase will be 
described more exactly. An algorithm having the following properties is used for map- 
ping onto value P: a) it maps legitimate input values, for example digitized biometric 
features, reliably onto value W. In the present case this is prototype P\ b) it does not 
map illegitimate input values onto value W; c) it is scalable with respect to the allowed 
variance of legitimate values; d) the mapping fiinction is discontinuous outside the in- 
terval in which the legitimate input values lie. This means that gradient methods are 
not applicable; e) it permits no conclusions on properties of legitimate input values. 

Properties a), b) and c) describe the reliability of the method. Properties d) and e) 
say that analysis of the method for calculating value offers no advantages to an at- 
tacker. This means that the effort of an. attack on the system equals the effort of a 
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brute-force attack. However, this only holds if the input values - for example parts of 
the biometric data - are not public. 

The abovementioned requirements are fulfilled by the decoding stages of com- 
mon error correction methods. The application of said methods presupposes that value 
W onto which mapping is to be done is coded redundantly in the starting value. 

Fig. 7 shows the transfer of the coding and decoding stage of a coding-theory 
method to the correction of erroneous biometric features. The upper line shows the 
initialization phase. The lower line shows the authentication phase. In the initialization 
phase the secret data (e.g. the private key in a public-key method) are first mapped 
onto a legal code word by means of a generating matrix (or generating polynomial). 
The digitized biometric feature (initialization BM) encrypts said code word by the bit- 
by-bit XOR operation. 

In the authentication phase (lower line), the encrypted code word is decrypted by 
a biometric feature measured at a later time (the authentication BM). Since the biomet- 
ric authentication feature does not exactly match the biometric feature measured in the 
initialization phase, an erroneous code word results. This can be reconstracted by the 
decoding stage of the coding-theory method. 

In the following, the signature method according to the application described 
above in principle will be described in detail with reference to a preferred example: 

1. Initialization phase 

(a) In an initialization phase the legitimate user signs on a display of the apparatus 
several times. 

(b) The signature is digitized. Static and dynamic information is detected. 

(c) A sample or prototype P of the signature is calculated. 

(d) The variance between the digitized signatures is determined. 

(e) Static infonnation of the signature is stored for classification purposes. 

(f) The dynamic information of the signature is compared with statistical and psy- 
chological information about signatures of the total population. Dynamic infor- 
mation which cannot be obtained with knowledge about the statistical properties 
of signatures and which is characteristic of the signer is classified as "secret." 
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(g) The binary representation of the feature is arranged in squares of edge length n, 
as shown in Fig. 4. The value of n plays no part for the discussion of the 
method. The greater n is, the lower the error rates corrected by the method are. 
The value of n is to be selected so that the method corrects the desired number 
of errors. It is selected on the basis of the variance possibly measured in step 
1(d), statistical, psychological or other knowledge so as to correct the error rate 
expected within a user's measured biometric features. Different error rates can 
be assumed for different partial features. The length of the feature is not secret. 
If the last square cannot be filled completely, a rectangle can be used. Missing 
bits are filled with zeros. 

(h) The parity is noted fi-om each line and each column. That means 2n-l independ- 
ent values. 

(i) The parities are stored for example in the apparatus according to the applica- 
tion. Although they could likewise be protected in principle, they will be re- 
garded as public information in the following. This leaves (n-l)2 secret bits per 
square. 

(j) In the last square the parities of several columns are combined so that the pari- 
ties belong to constant colunm lengths. 

(k) All signatures are deleted. 

(1) For a suitable public-key method a key pair is generated. 

(m) The secret key is protected with the aid of the binary representation of the fea- 
ture, e.g. by storing the bit-by-bit XOR of the secret key with the biometric fea- 
ture (or the hashed value thereof) and deleting the secret key. 

(n) Statistical data on the total population to be regarded as commonly accessible 
are used to determine number N of the bits of the feature which are to be re- 
garded as secret because they neither can be guessed nor are used up for error 
correction. Due to the error correction information the number of bits to be 
guessed in an attack can be reduced by 2n-\ per square since the attacker knows 
the correction method. The resulting number is a measure of the security of the 
method. 

(o) r , All secret parts of the prototype of the signature are deleted, 
(p) A key pair comprising a public and a secret key is generated. 
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(q) Value P and the private signature key are deleted. 
2, Authentication phase 

(a) In an authentication phase the legitimate user signs on the display of an appara- 
tus 

(b) The signature is digitized with a suitable input device; static and dynamic in- 
formation is detected. That can be in particular the same device as in the ini- 
tialization phase. 

(c) A hash value of the digitized signature is calculated. This can be compared in 
following authentication phases with the hash values of new signatures. Those 
digitized signatures are rejected which exactly match previously written signa- 
tures. This impedes replay attacks. 

(d) Public information of the signature is used for classification purposes if the ap- 
paratus was initialized for several users. 

(e) The binary representation of the feature is entered into the squares of the 
initialization phase. 

(f) The parities of the lines and columns are calculated. 

(g) Any one -bit errors are localized by comparison with the stored parities, and cor- 
rected. (See Fig. 4.) 

(h) If there is more than one error in a square, correction fails. That is the case in 
particular if an insufficient forgery was inputted. 

(i) The corrected feature is used for recovering the secret key of the public-key 
method. In the exemplary method from l(m) the bit-by-bit XOR of the feature 
(or hashed value) is calculated with the result of l(m). This value is the secret 
key. 

(j) The document to be signed is signed by means of the newly generated private 
key. 

(k) The private signature key is deleted. 
(1) The signed document is transferred. 

(m) The error correction function permits no conclusions on how far away the digi- 
tized biometric feature is from the boundary of the correction interval. Gradient 
methods are therefore not a suitable possibility of attack. 
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Claims 



1 . A method for protecting data having an authentication phase with the following 
steps: 

(a) providing a biometric feature; 

(b) digitizing the biometric feature to create digitized biometric authentica- 
tion feature data; 

(c) decrypting an encrypted code word on the basis of the digitized biomet- 
ric authentication feature data; 

(c) recovering secret data by means of a decryption of the code word on the 
basis of the digitized biometric authentication feature data and on the ba- 
sis of a coding-theory method with a correction capacity, the correction 
capacity being freely selectable. 

2. A method according to claim 1 having an initialization phase with the following 
steps: 

(a) providing a biometric feature; 

(b) digitizing the biometric feature to create digitized biometric feature data; 

(c) providing secret data; 

(d) encrypting on the basis of the digitized biometric feature data and fault- 
tolerantly coding the secret data. 

3. A method according to claim 2 having the consecutive steps: 

(a) fault-tolerantly coding the secret data to create a code word; 

(b) encrypting the code word on the basis of the digitized biometric feature 
data to create an encrypted code word. 

4. A method according to claim 3, wherein the code word is generated by a generat- 
ing matrix. 

5. A method according to claim 2 having the following step: creating initial correc- 
tion data to describe the space of allowed code words. 

6. A method according to claim 2 having the following step: providing initialization 
correction data on the basis of the digitized biometric feature data. 

7. A method according to claim 1 having the following steps: 
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(a) creating authentication correction data on the basis of the digitized bio- 
metric authentication feature data; 

(b) recovering the digitized biometric feature data on the basis of the authen- 
tication and initial correction data; 

(c) decrypting encrypted secret data on the basis of the recovered digitized 
biometric feature data. 

8. A method according to claim 6, wherein the initial correction data are created by 
calculation of the digitized biometric feature data modulo n. 

9. A method according to claim 7, wherein the authentication correction data are cre- 
ated by calculation of the authentication feature data modulo n. 

10. A method according to claims 2 to 9 having user-specific initial correction data 
and/or user-specific fault-tolerant coding. 

11. A method according to any of claims 2 to 101, wherein a public and a secret part 
are determined or estimated from the biometric feature. 

12. A method according to claim 11, wherein the separation into a public and a secret 
part of the biometric feature is effected with the aid of empirical inquiries. 

13. A method according to claims 1 to 1 1, wherein a hash value is created from the 
digitized biometric feature data with the aid of a hash fimction. 

14. A method according to any of claims 1 to 13, wherein a hash value is created 
from the digitized biometric authentication feature data with the aid of a hash 
fimction. 

15. A method according to any of the above claims, wherein the biometric feature is 
a behavioral biometric. 

16. A method according to any of the above claims, wherein the biometric feature 
consists of a handwritten signature. 

17. A method according to any of the above claims, wherein the handwritten signa- 
ture is broken down into a public and a secret part and the secret part is a proper 
subset of the dynamic information of the signature. 

18. A method according to any of the above claims, wherein the providing and/or 
digitizing of the biometric feature is effected several times. 

19. A method according to any of the above claims, wherein the secret data are gen- 
erated with a public-key method. 
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20. An apparatus for carrying out the method according to any of the above claims, 
having: 

(a) means for digitizing a biometric feature to create digitized biometric fea- 
ture data; 

(b) means for providing secret data; 
characterized by 

(c) means for fault-tolerantly coding and decoding the secret data; and 

(d) means for encrypting and decrypting the fault-tolerantly coded secret 
data with the aid of the digitized biometric feature data. 

21. An apparatus according to claim 20 having means for creating code words. 

22. An apparatus according to claim 20 having means for creating initial correction 
data. 

23. An apparatus according to any of claims 20 to 22 having means for providing a 
hash value. 

24. An apparatus according to any of claims 20 to 23 having means for breaking 
down the biometric feature into a public and a secret part. < 

25. An apparatus according to claim 24 having means for breaking down into a pub- 
lic and a secret part of the biometric feature with the aid of statistical inquiries. 

26. An apparatus according to claims 20 to 26 further having means for capturing a 
handwritten signature as a biometric feature. 
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Abstract 

Method for protecting data 

A method is described for identifying and initiahzing digitized biometric features 
to provide encryption or coding of secret data. 
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